Deploying Vault HA on a k8s cluster using RWX

Hello,

What would be the problem with deploying Vault using RWX rather than RWO if Raft is enabled to ensure proper writing of the data in all the replicated PVCs?

The situation we have is the following: a StatefulSet with 3 replicas and 3 PVCs.

A StatefulSet should deploy only with RWO, but Vault has protections in place to avoid writing to multiple PVs, so what would be the problem with deploying in RWX to avoid problems when replicas are re-generated (we scale them down at a certain time)?

Thank you!

Um, no?

The Raft algorithm relies on data being committed to a quorum of PVs (and eventually all of them), to provide its consistency properties.

Doesn’t Vault use a lock in HA mode and select a specific node, and that node becomes the active one, preventing data from being written by the other nodes? Then Raft takes over the proliferation of the data to the other PVCs, or did I misunderstand how the HA works?

Vault and Raft are not two separate processes, though. Raft is a library of code which is used within the main Vault process. Each Vault node, and the Raft code included within it, needs sole access to its own PVC, and will be continuously writing to it during normal operation.

Gotcha, but due to the way that Vault works, wouldn’t using RWX rather than RWO be OK in HA mode?

No, it wouldn’t.

Please explain why you think it would be OK?

Well, no other pod would be connected to the PVs other than the Vault ones, and there would be only one of the Vault pods chosen as the active one.

The thing is that we are using Longhorn, and it does not seem to like a reduction of replicas to 0; then, when spinning back up to 3 replicas, it cannot associate the pods with the right node, and that causes failures in attaching the pods back to the PVCs.

Regardless of which pod is active, they are still all writing to their PVCs.

That sounds like something to take up with the Longhorn project, Vault’s usage of PVCs is pretty unremarkable, it’s just the super-common case of a private PVC per member of a StatefulSet.

Got it, I thought that the leader selector prevented this type of issue, thanks for the information!
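The point made in the replies, that every Vault node needs sole access to its own PVC, can be checked against a cluster's objects. The following is an added example, not part of the thread and not Vault or Longhorn code: it flags `volumeClaimTemplates` with a shared access mode and any PVC mounted by more than one pod. The sample objects and the pod and claim names are constructed; in practice the input would be the parsed output of `kubectl get statefulset,pods -o json`.

```python
"""Audit a Vault StatefulSet for shared Raft storage (constructed sample data)."""
from collections import defaultdict

# Access modes that keep a volume private to one node or one pod.
PRIVATE_MODES = {"ReadWriteOnce", "ReadWriteOncePod"}


def template_findings(statefulset):
    """Flag volumeClaimTemplates whose accessModes allow multi-node attachment."""
    findings = []
    for tpl in statefulset["spec"].get("volumeClaimTemplates", []):
        shared = sorted(set(tpl["spec"].get("accessModes", [])) - PRIVATE_MODES)
        if shared:
            findings.append((tpl["metadata"]["name"], shared))
    return findings


def shared_claims(pods):
    """Return {claimName: [pod names]} for PVCs mounted by more than one pod."""
    users = defaultdict(list)
    for pod in pods:
        for vol in pod["spec"].get("volumes", []):
            claim = vol.get("persistentVolumeClaim")
            if claim:
                users[claim["claimName"]].append(pod["metadata"]["name"])
    return {c: sorted(p) for c, p in users.items() if len(p) > 1}


# Constructed sample objects, trimmed to the fields the checks read.
SAMPLE_STS = {"spec": {"replicas": 3, "volumeClaimTemplates": [
    {"metadata": {"name": "data"}, "spec": {"accessModes": ["ReadWriteMany"]}}]}}


def _pod(name, claim):
    """Build a minimal constructed Pod object that mounts one PVC."""
    return {"metadata": {"name": name}, "spec": {"volumes": [
        {"name": "data", "persistentVolumeClaim": {"claimName": claim}}]}}


# vault-2 is wrongly bound to vault-1's claim in this constructed example.
SAMPLE_PODS = [_pod("vault-0", "data-vault-0"), _pod("vault-1", "data-vault-1"),
               _pod("vault-2", "data-vault-1")]

if __name__ == "__main__":
    print("template findings:", template_findings(SAMPLE_STS))
    print("shared claims:", shared_claims(SAMPLE_PODS))
```

A clean deployment returns an empty list and an empty dict: one private claim per StatefulSet member.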